P256 keys using Secure Enclave and Android StrongBox #706
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Aries-Askar" | |
env: | |
RUST_VERSION: "1.70.0" | |
CROSS_VERSION: "0.2.4" | |
TEST_FEATURES: "" | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
actions: write | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
release: | |
types: [created] | |
workflow_dispatch: | |
inputs: | |
publish-binaries: | |
description: "Publish Binaries to Release (will create a release if no release exists for branch or tag)" | |
required: true | |
default: false | |
type: boolean | |
publish-python-wrapper: | |
description: "Publish Python Wrapper to Registries" | |
required: true | |
default: false | |
type: boolean | |
publish-javascript-wrapper: | |
description: "Publish JavaScript Wrapper to Registries" | |
required: true | |
default: false | |
type: boolean | |
jobs: | |
checks: | |
name: Run checks | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
components: clippy, rustfmt | |
- name: Cache cargo resources | |
uses: Swatinem/rust-cache@v2 | |
with: | |
shared-key: deps | |
cache-on-failure: true | |
- name: Cargo fmt | |
run: cargo fmt --all -- --check | |
- name: Cargo check | |
run: cargo check --workspace | |
- if: ${{ runner.os == 'Linux' }} | |
name: Pre-install cross | |
run: | | |
cargo install --bins --git https://github.com/rust-embedded/cross --locked --tag v${{ env.CROSS_VERSION }} cross | |
tests: | |
name: Run tests | |
needs: [checks] | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
- name: Cache cargo resources | |
uses: Swatinem/rust-cache@v2 | |
with: | |
shared-key: deps | |
save-if: false | |
- name: Debug build | |
run: cargo build --all-targets | |
- if: ${{ runner.os == 'Linux' }} | |
name: Start postgres (Linux) | |
run: | | |
sudo systemctl start postgresql.service | |
pg_isready | |
sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD 'postgres'" | |
echo "POSTGRES_URL=postgres://postgres:postgres@localhost:5432/test-db" >> $GITHUB_ENV | |
echo "TEST_FEATURES=pg_test" >> $GITHUB_ENV | |
- name: Run tests | |
run: cargo test --workspace --features "${{ env.TEST_FEATURES || 'default' }}" -- --nocapture --test-threads 1 --skip contention | |
env: | |
RUST_BACKTRACE: full | |
# RUST_LOG: debug | |
- name: Test askar-crypto no default features | |
run: cargo test --manifest-path ./askar-crypto/Cargo.toml --no-default-features | |
build-release: | |
name: Build library | |
needs: [checks] | |
strategy: | |
matrix: | |
include: | |
- architecture: linux-aarch64 | |
os: ubuntu-latest | |
lib: libaries_askar.so | |
target: aarch64-unknown-linux-gnu | |
use_cross: true | |
- architecture: linux-x86_64 | |
os: ubuntu-latest | |
lib: libaries_askar.so | |
target: x86_64-unknown-linux-gnu | |
use_cross: true | |
- architecture: darwin-universal | |
os: macos-latest | |
lib: libaries_askar.dylib | |
target: darwin-universal | |
# beta or nightly required for aarch64-apple-darwin target | |
toolchain: beta | |
- architecture: windows-x86_64 | |
os: windows-latest | |
lib: aries_askar.dll | |
target: x86_64-pc-windows-msvc | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ matrix.toolchain || env.RUST_VERSION }} | |
- name: Cache cargo resources | |
uses: Swatinem/rust-cache@v2 | |
with: | |
shared-key: deps | |
save-if: false | |
- name: Build | |
shell: sh | |
run: | | |
if [ -n "${{ matrix.use_cross }}" ]; then | |
cargo install --bins --git https://github.com/rust-embedded/cross --locked --tag v${{ env.CROSS_VERSION }} cross | |
# Required for compatibility with manylinux2014. | |
# https://github.com/briansmith/ring/issues/1728 | |
if [ "${{ matrix.architecture }}" = "linux-aarch64" ]; then | |
export CFLAGS="-D__ARM_ARCH=8" | |
fi | |
cross build --lib --release --target ${{ matrix.target }} | |
elif [ "${{ matrix.architecture }}" == "darwin-universal" ]; then | |
./build-universal.sh | |
else | |
cargo build --lib --release --target ${{ matrix.target }} | |
fi | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: library-${{ matrix.architecture }} | |
path: target/${{ matrix.target }}/release/${{ matrix.lib }} | |
- name: Create artifacts directory | |
if: | | |
github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-binaries == 'true') | |
run: | | |
mkdir release-artifacts | |
cp target/${{ matrix.target }}/release/${{ matrix.lib }} release-artifacts/ | |
- uses: a7ul/tar-action@v1.2.0 | |
if: | | |
github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-binaries == 'true') | |
with: | |
command: c | |
cwd: release-artifacts | |
files: . | |
outPath: "library-${{ matrix.architecture }}.tar.gz" | |
- name: Add artifacts to release | |
if: | | |
github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-binaries == 'true') | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
file: library-${{ matrix.architecture }}.tar.gz | |
asset_name: "library-${{ matrix.architecture }}.tar.gz" | |
build-py: | |
name: Build and test Python wrapper | |
needs: [build-release] | |
strategy: | |
matrix: | |
architecture: | |
[linux-aarch64, linux-x86_64, darwin-universal, windows-x86_64] | |
python-version: ["3.8"] | |
include: | |
- os: ubuntu-latest | |
architecture: linux-aarch64 | |
plat-name: manylinux2014_aarch64 | |
- os: ubuntu-latest | |
architecture: linux-x86_64 | |
plat-name: manylinux2014_x86_64 | |
- os: macos-latest | |
architecture: darwin-universal | |
plat-name: macosx_10_9_universal2 # macosx_10_9_x86_64 | |
- os: windows-latest | |
architecture: windows-x86_64 | |
plat-name: win_amd64 | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install setuptools wheel twine auditwheel | |
- name: Fetch library artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: library-${{ matrix.architecture }} | |
path: wrappers/python/aries_askar/ | |
- if: ${{ runner.os == 'Linux' }} | |
name: Start postgres (Linux) | |
run: | | |
sudo systemctl start postgresql.service | |
pg_isready | |
sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD 'postgres'" | |
echo "POSTGRES_URL=postgres://postgres:postgres@localhost:5432/test-db" >> $GITHUB_ENV | |
- name: Build wheel package | |
shell: sh | |
run: | | |
python setup.py bdist_wheel --python-tag=py3 --plat-name=${{ matrix.plat-name }} | |
working-directory: wrappers/python | |
- name: Run tests | |
# FIXME cross platform test the python package | |
# maybe use the cross docker image? | |
if: ${{ matrix.architecture != 'linux-aarch64' }} | |
shell: sh | |
run: | | |
pip install pytest pytest-asyncio dist/* | |
echo "-- Test SQLite in-memory --" | |
python -m pytest --log-cli-level=WARNING -k "not contention" | |
echo "-- Test SQLite file DB --" | |
TEST_STORE_URI=sqlite://test.db python -m pytest --log-cli-level=WARNING -k "not contention" | |
if [ -n "$POSTGRES_URL" ]; then | |
echo "-- Test Postgres DB --" | |
TEST_STORE_URI="$POSTGRES_URL" python -m pytest --log-cli-level=WARNING -k "not contention" | |
fi | |
working-directory: wrappers/python | |
env: | |
no_proxy: "*" # python issue 30385 | |
RUST_BACKTRACE: full | |
# RUST_LOG: debug | |
- if: ${{ runner.os == 'Linux' }} | |
name: Audit wheel | |
run: | | |
auditwheel show wrappers/python/dist/* | tee auditwheel.log | |
grep -q manylinux_2_17_ auditwheel.log | |
- if: | | |
github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-python-wrapper == 'true') | |
name: Publish | |
env: | |
TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} | |
TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} | |
run: | | |
twine upload --skip-existing dist/* | |
working-directory: wrappers/python | |
build-javascript: | |
name: Build and test JavaScript wrapper | |
needs: [build-release] | |
strategy: | |
matrix: | |
architecture: | |
[linux-aarch64, linux-x86_64, darwin-universal] | |
include: | |
- os: ubuntu-latest | |
architecture: linux-aarch64 | |
- os: ubuntu-latest | |
architecture: linux-x86_64 | |
- os: macos-latest | |
architecture: darwin-universal | |
runs-on: ${{ matrix.os }} | |
defaults: | |
run: | |
working-directory: wrappers/javascript | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Node.JS 18.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
- name: Fetch library artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: library-${{ matrix.architecture }} | |
- name: Install python dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install setuptools wheel twine auditwheel | |
- name: Install dependencies | |
run: yarn install | |
- name: Build | |
run: yarn build | |
- name: Lint | |
run: yarn lint | |
- name: Check format | |
run: yarn check-format | |
- name: Check types | |
run: yarn check-types | |
- name: Run tests | |
if: ${{ matrix.architecture != 'linux-aarch64' }} | |
env: | |
# binary is downloaded to root of repository | |
LIB_ARIES_ASKAR_PATH: ../../../ | |
run: yarn test | |
- name: Set NPM config | |
if: | | |
github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-javascript-wrapper == 'true') | |
run: | | |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> .npmrc | |
echo "registry=https://registry.npmjs.org/" >> .npmrc | |
echo "always-auth=true" >> .npmrc | |
- name: Publish JavaScript Wrapper | |
if: | | |
github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-javascript-wrapper == 'true') | |
run: | | |
if [[ $(cat lerna.json | grep version | head -1 | grep dev) ]]; then | |
npx lerna publish from-package --no-push --no-private --yes --no-git-tag-version --dist-tag=alpha | |
else | |
npx lerna publish from-package --no-push --no-private --yes --no-git-tag-version | |
fi | |
build-ios: | |
name: Build library (iOS) | |
needs: [checks] | |
runs-on: macos-latest | |
env: | |
FEATURES: "mobile_secure_element" | |
strategy: | |
matrix: | |
target: [aarch64-apple-ios, aarch64-apple-ios-sim, x86_64-apple-ios] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
targets: ${{ matrix.target }} | |
- name: Build | |
run: | | |
cargo build --lib --release --target ${{matrix.target}} --features ${{ env.FEATURES }} | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: library-${{ matrix.target }} | |
path: target/${{ matrix.target }}/release/libaries_askar.a | |
build-android: | |
name: Build library (Android) | |
needs: [checks] | |
env: | |
RUST_VERSION: "1.68" | |
FEATURES: "mobile_secure_element" | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
target: | |
[ | |
aarch64-linux-android, | |
armv7-linux-androideabi, | |
i686-linux-android, | |
x86_64-linux-android, | |
] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
- name: Cache cargo resources | |
uses: Swatinem/rust-cache@v2 | |
with: | |
shared-key: deps | |
save-if: false | |
- name: Build | |
run: | | |
cargo install --bins --git https://github.com/rust-embedded/cross --locked --tag v${{ env.CROSS_VERSION }} cross | |
# Required for compatibility with manylinux2014: | |
# https://github.com/briansmith/ring/issues/1728 | |
if [ "${{ matrix.target }}" = "aarch64-linux-android" ]; then | |
export CFLAGS="-D__ARM_ARCH=8" | |
fi | |
cross build --lib --release --target ${{matrix.target}} --features ${{ env.FEATURES }} | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: library-${{ matrix.target }} | |
path: target/${{ matrix.target }}/release/libaries_askar.so | |
create-ios-xcframework: | |
name: Create iOS xcframework | |
runs-on: macos-latest | |
needs: [build-ios] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Fetch static libraries | |
uses: actions/download-artifact@v4 | |
- run: > | |
./build-xcframework.sh library-aarch64-apple-ios \ | |
library-aarch64-apple-ios-sim \ | |
library-x86_64-apple-ios \ | |
include | |
- name: Save xcframework | |
uses: actions/upload-artifact@v4 | |
with: | |
name: aries_askar.xcframework | |
path: ./out | |
- uses: geekyeggo/delete-artifact@v5 | |
with: | |
name: | | |
library-aarch64-apple-ios | |
library-aarch64-apple-ios-sim | |
library-x86_64-apple-ios | |
failOnError: false | |
create-android-library: | |
name: Create library (Android) | |
runs-on: ubuntu-latest | |
needs: [build-android] | |
steps: | |
- name: Fetch libraries | |
uses: actions/download-artifact@v4 | |
- run: | | |
sudo mkdir ./libs | |
sudo mv library-aarch64-linux-android ./libs/arm64-v8a | |
sudo mv library-armv7-linux-androideabi ./libs/armeabi-v7a | |
sudo mv library-i686-linux-android ./libs/x86 | |
sudo mv library-x86_64-linux-android ./libs/x86_64 | |
- name: Save Android library | |
uses: actions/upload-artifact@v4 | |
with: | |
name: android-libraries | |
path: ./libs | |
- uses: geekyeggo/delete-artifact@v5 | |
with: | |
name: | | |
library-aarch64-linux-android | |
library-armv7-linux-androideabi | |
library-i686-linux-android | |
library-x86_64-linux-android | |
failOnError: false | |
create-ios-android-release-asset: | |
name: Create iOS and Android release assets | |
runs-on: ubuntu-latest | |
needs: | |
- create-ios-xcframework | |
- create-android-library | |
if: | | |
(github.event_name == 'release' || | |
(github.event_name == 'workflow_dispatch' && | |
github.event.inputs.publish-binaries == 'true')) | |
steps: | |
- name: Fetch Android libraries | |
uses: actions/download-artifact@v4 | |
with: | |
name: android-libraries | |
path: mobile/android/ | |
- name: Fetch iOS Framework | |
uses: actions/download-artifact@v4 | |
with: | |
name: aries_askar.xcframework | |
path: mobile/ios/ | |
- uses: a7ul/tar-action@v1.2.0 | |
with: | |
command: c | |
files: ./mobile | |
outPath: "library-ios-android.tar.gz" | |
- name: Add library artifacts to release | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
file: library-ios-android.tar.gz | |
asset_name: "library-ios-android.tar.gz" | |
build-success: | |
# see https://github.community/t/status-check-for-a-matrix-jobs/127354/7 | |
name: Successful build | |
needs: [tests, build-release, build-py, build-javascript] | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check all job status | |
# see https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#needs-context | |
# see https://stackoverflow.com/a/67532120/4907315 | |
if: >- | |
${{ | |
contains(needs.*.result, 'failure') | |
|| contains(needs.*.result, 'cancelled') | |
|| contains(needs.*.result, 'skipped') | |
}} | |
run: exit 1 |